Preparing for a NIST Risk Assessment

Regardless of your organization's current security posture, a NIST cyber risk assessment can add immense value to your business. The National Institute of Standards and Technology, more commonly known as NIST, is a non-regulatory federal agency that develops standards for a wide range of commonly relied-on services and products.

What sets NIST cybersecurity risk assessments apart from other risk assessments is that NIST's overarching mission is to promote U.S. innovation and industrial competitiveness by advancing technology, with the intention of enhancing economic prosperity and improving quality of life. In other words, a NIST gap analysis or NIST cybersecurity audit is meant to strengthen an organization's competitiveness rather than just check boxes on a controls list. In addition, NIST publications such as the Cybersecurity Framework are revised periodically so that they stay relevant to today's rapidly evolving threat landscape.

Common Use Cases for Risk Assessments

U.S. Government agencies, as well as many companies that do business with the U.S. Government, are required to adopt NIST standards in order to comply with Federal law. Department of Defense contractors and their subcontractors must also obtain Cybersecurity Maturity Model Certification (CMMC). CMMC comes in different levels and is used by the DoD to audit a contractor's NIST compliance against the 5 CMMC tiers. Regardless of the specific contract pursued, contractors must meet at least CMMC Level 1, which requires the 17 basic safeguarding practices. This makes the certification incredibly sought after: it is conservatively estimated that between 200,000 and 300,000 organizations fall under the eligibility requirement for CMMC.

CMMC Levels

The relationship between CMMC and NIST compliance is that CMMC is the DoD's mechanism for verifying that a contractor protects Controlled Unclassified Information (CUI), and its practices are built on the NIST SP 800-171 CUI requirements. NIST SP 800-171 also lists (in its Appendix E) the Non-Federal Organization (NFO) controls that are expected to be in place as a routine minimum, and which are therefore not separately assessed. Note that NIST itself does not issue certifications; an organization demonstrates NIST compliance through its own or a third party's assessment. Demonstrating both CMMC certification and NIST compliance can greatly increase the trust of an organization's current and prospective clients, while also establishing a reputation for cybersecurity awareness.

Silent Sector Compliance Solutions

NIST cybersecurity controls are freely available to all non-federal organizations. That said, frameworks such as the NIST Cybersecurity Framework (NIST CSF) provide a central methodology for managing cyber risk that can be tailored to a specific industry. NIST CSF was originally developed with critical infrastructure organizations in mind, as it helps guide decisions about risk management actions at every level of the business. Sector-specific profiles build on it; for example, the Financial Services Sector Cybersecurity Profile (referred to in this post as NIST FFS), which was developed by the financial sector on top of NIST CSF, is tailored to align the financial services sector's regulatory obligations with cybersecurity practices. NIST FFS merges security with compliance by having financial institutions complete a NIST gap assessment, something that is otherwise uncommon in that sector.

The gap assessment can then be used to create a risk profile by identifying control gaps and thus eliminating the attack vectors those gaps invite. That profile can in turn be used to develop a plan to close the gaps and reach a tolerable level of residual risk that aligns with the organization's mission. Different industries have different priorities: banks and credit unions are on higher alert for fraud than for Operational Technology (OT) misconfiguration, and the threats and risks that apply to a financial institution may be irrelevant, or simply inapplicable, to a company whose mission is oriented around manufacturing. Hence, the NIST frameworks offer a spectrum of risk assessments.

Organizations with a lower risk tolerance may benefit more from implementing the controls in the NIST Special Publication (NIST SP) 800 series, such as SP 800-53. The NIST SP series takes a much more granular approach to cybersecurity than the Framework does. That is to say, all of the NIST risk assessments work at the control level, but the SP 800 series in particular spells out very thorough control families and assessment procedures.

Preparing for a NIST Risk Assessment

Once your organization has decided to move forward with a specific framework, you will spend the ensuing months customizing the framework for your specific industry and adjusting the level of detail to match your objectives. Think of it as a repeatable scientific process in which you implement the controls and then test that they are behaving as intended.

Since each NIST cyber risk assessment touches on different domains, some audits may be more rewarding for you to pursue than others. For instance, NIST FFS is highly favored by financial institutions because there is already substantial overlap with existing legal regulations such as SOX. Adopting NIST FFS gives financial institutions the ability to address security more skillfully in the boardroom and to better articulate their needs based on their NIST FFS profile. On the other hand, organizations that frequently handle sensitive data on behalf of government or private entities may benefit more from NIST SP 800-171, which focuses on protecting CUI in non-federal systems, together with its companion SP 800-171A, which provides the procedures for assessing those requirements.

The graphic below highlights how a CMMC Level 1 audit covers only about 15% of the NIST SP 800-171 CUI requirements assessed under SP 800-171A (17 of the 110 requirements). It is worth noting that organizations operating federal systems or handling more sensitive data may benefit more from NIST SP 800-53 compliance, which is significantly more rigorous to attain but demonstrates a higher level of security attentiveness. SP 800-53 is not itself a certification and is not formally equivalent to CMMC, but its rigor is closest to what CMMC Levels 4 and 5 demand, which, to put it into perspective, mandate 156 or 171 practices respectively.

[Graphic: CMMC levels mapped against the NIST SP 800-171A control families. Image via Compliance Forge]

Acronyms for readability

AC – Access Control

AT – Awareness and Training

AU – Audit and Accountability

CM – Configuration Management

IA – Identification and Authentication

IR – Incident Response

MA – Maintenance of Information Systems

MP – Media Protection

PS – Personnel Security Policy and Procedures

PE – Physical and Environmental Protection

RA – Risk Assessment Policy and Procedures

CA – Security Assessment and Authorization Policy and Procedures

SC – System and Communications Protection Policy and Procedures

SI – System and Information Integrity Policy and Procedures

Moving Beyond Risk Assessments

When choosing a NIST framework, it is critical that businesses understand their specific needs and clientele. Regardless of the NIST cybersecurity controls picked, both the organization and the regulatory community stand to benefit, because regulators are better able to compare an institution's baseline against industry, state, national, and global risks. This ability to scope an organization's cyber posture enhances U.S. economic welfare at all levels. NIST cybersecurity audits also enable institutions to focus more on their core risk management mission by prioritizing the elements of the NIST gap analysis, thereby freeing resources that can be applied to cybersecurity.

At the end of the day, the various NIST frameworks overlap in that they encourage organizations to "Identify, Protect, Detect, Respond, and Recover" so that events are handled before they become incidents. NIST's authors, long-standing security practitioners and information security professionals, consider these functions to be key to a sound security program. Implementing controls alone is no longer enough. Instead, the focus must shift to bridging the controls and the risks that organizations face today.

Interested in hearing how your organization can leverage a NIST cybersecurity framework to better manage its cybersecurity risk? Call Silent Sector today to connect with one of our security experts, who will not only work with you to identify which framework is best for your business mission and operating landscape, but also help you conduct a "readiness" audit that points out high-risk areas you can address on the way to certification.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.